[RESOLVED] Why doesn't this ABE rule block Java?

Discussions about the Application Boundaries Enforcer (ABE) module
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

[RESOLVED] Why doesn't this ABE rule block Java?

Post by tlu »

In Options -> Embeddings I forbid any objects via NoScript. In order to tighten security I've added the following rule suggested by Giorgio to ABE -> USER:

Site *
Deny INCLUSION(OBJ, SUBDOC)

I went to http://tools.boerse-go.de/index-tool/ which I've whitelisted in NoScript but for which I did NOT create an exception rule in ABE. But the Java applet on that site is still loaded! How is that possible?
Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110319 Firefox/4.0b13pre
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: Why doesn't this ABE rule block Java?

Post by tlu »

Another example: If I go to http://blog.mozilla.com/blog/2011/03/ there is this message in the Error Console:
[ABE] <*> Deny INCLUSION(OBJ, SUBDOC) on {GET http://www.youtube.com/watch?v=mv_sq5zpN0M <<< http://blog.mozilla.com/blog/2011/03/, http://blog.mozilla.com/blog/2011/03/ - 5}
USER rule:
Site *
Deny INCLUSION(OBJ, SUBDOC)
... but I can view the video on that site although no exception rule for mozilla.com exists in ABE. I might have a basic misunderstanding of how ABE works ...
Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110319 Firefox/4.0b13pre
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Why doesn't this ABE rule block Java?

Post by Giorgio Maone »

The video on http://blog.mozilla.com/blog/2011/03/ has a non-Flash fallback, through the HTML 5 <video> element which is currently not covered by the inclusion subtypes dictionary.
In fact, if you use just "INCLUSION" (with no further specification) it does get blocked as expected.
Both <video> and <audio> HTML 5 media elements will be matched by OBJ in the next version.

Regarding the Java applet, it seems a genuine regression, probably due to recent changes in the Java plugin or its inter-process wrapper: HTTP observers (like ABE) don't get called for Java requests. Fortunately, as you noticed, content policies (like NoScript) do get called so this doesn't affect NoScript's ability to block Java, but ABE's INCLUSION doesn't affect Java requests because they're not seen at all. I'm trying to implement a work-around to be included in the next version, thank you for reporting this.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
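
An added illustration, not part of the thread and not NoScript's code: a simplified JavaScript model of the two gaps described in the reply above, a request kind missing from the inclusion subtypes dictionary and a request the HTTP observer never sees. The `SUBTYPES` table, the `kind`, `inclusion` and `observed` fields, the first-match evaluation and the placeholder URLs are assumptions of the model.

```javascript
// Simplified model of ABE predicate matching; not NoScript's implementation.
// Assumption: the loader tags each request with a content kind, and this
// dictionary maps kinds to INCLUSION subtypes. "media" is deliberately absent.
const SUBTYPES = { object: "OBJ", subdocument: "SUBDOC" };

// Parse a ruleset limited to "Site *" plus Accept/Deny [INCLUSION[(types)]].
function parseRuleset(text) {
  const lines = text.split("\n").map(l => l.trim()).filter(Boolean);
  if (lines[0] !== "Site *") throw new Error("model only handles 'Site *'");
  return lines.slice(1).map(line => {
    const m = /^(Accept|Deny)(\s+INCLUSION(?:\(([^)]*)\))?)?$/.exec(line);
    if (!m) throw new Error("unsupported predicate: " + line);
    return {
      action: m[1].toUpperCase(),
      inclusionOnly: Boolean(m[2]),
      types: m[3] ? m[3].split(",").map(t => t.trim()) : null,
    };
  });
}

// First matching predicate wins; unseen requests are never evaluated.
function decide(predicates, req) {
  if (!req.observed) return "NOT_SEEN";
  for (const p of predicates) {
    if (p.inclusionOnly && !req.inclusion) continue;
    if (p.types && !p.types.includes(SUBTYPES[req.kind])) continue;
    return p.action;
  }
  return "NO_MATCH"; // no predicate applies, the request proceeds
}

// Constructed sample requests (placeholder URLs, not taken from the thread).
const plugin = { url: "http://plugin.example/player.swf", kind: "object", inclusion: true, observed: true };
const video = { url: "http://media.example/clip.webm", kind: "media", inclusion: true, observed: true };
const applet = { url: "http://applet.example/tool.jar", kind: "object", inclusion: true, observed: false };

function demo() {
  const narrow = parseRuleset("Site *\nDeny INCLUSION(OBJ, SUBDOC)");
  const broad = parseRuleset("Site *\nDeny INCLUSION");
  return {
    pluginNarrow: decide(narrow, plugin),
    videoNarrow: decide(narrow, video),
    videoBroad: decide(broad, video),
    appletNarrow: decide(narrow, applet),
  };
}

console.log(demo());
```

In the model, the typed rule lets the media request through while the bare INCLUSION rule denies it, and the unobserved applet request is never evaluated by either rule.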
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Why doesn't this ABE rule block Java?

Post by Giorgio Maone »

Fixed in latest development build, thank you.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: [RESOLVED] Why doesn't this ABE rule block Java?

Post by tlu »

The latest build works indeed as expected. Thanks a lot, Giorgio!
Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110319 Firefox/4.0b13pre
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Why doesn't this ABE rule block Java?

Post by dhouwn »

Giorgio Maone wrote: Both <video> and <audio> HTML 5 media elements will be matched by OBJ in the next version.
Hm… Is this really the expected behaviour? Since these are not "plugin objects" (term used in the ABE specification) but are only like what plugins are generally used for, i.e. plugin object lookalikes/alternatives/….
But plugins might also be used for displaying images, so using this same argumentation you might also match native IMG elements with this rule which I believe is not what users would generally want (at most maybe as a separate type matcher).
So either change this or update the specification reflecting that OBJ does not just stand for "plugin objects".
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [RESOLVED] Why doesn't this ABE rule block Java?

Post by Giorgio Maone »

Mmm, I'm probably going to add MEDIA and FONT subtypes, rather than coalescing them with OBJ and OTHER respectively.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: [RESOLVED] Why doesn't this ABE rule block Java?

Post by tlu »

Giorgio, another thought. One big disadvantage of blocking objects by the mentioned ABE rule is that the usual placeholders are not visible. Is this generally impossible in ABE or is it just not implemented? If the latter is the issue, implementing this would be highly appreciated as it would make life a lot easier ;)
Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110319 Firefox/4.0b13pre
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [RESOLVED] Why doesn't this ABE rule block Java?

Post by Giorgio Maone »

tlu wrote: Is this generally impossible in ABE or is it just not implemented? If the latter is the issue, implementing this would be highly appreciated as it would make life a lot easier ;)
ABE is designed and implemented to be as decoupled as possible from NoScript and the DOM. Triggering placeholders from it would be quite complicated and would violate this decoupling.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: [RESOLVED] Why doesn't this ABE rule block Java?

Post by tlu »

Giorgio Maone wrote:
tlu wrote: Is this generally impossible in ABE or is it just not implemented? If the latter is the issue, implementing this would be highly appreciated as it would make life a lot easier ;)
ABE is designed and implemented to be as decoupled as possible from NoScript and the DOM. Triggering placeholders from it would be quite complicated and would violate this decoupling.
Okay, understood. So we're patiently waiting for E10 ;)
Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110319 Firefox/4.0b13pre